See discussion in Bug 985766, especially https://bugzilla.mozilla.org/show_bug.cgi?id=985766#c9.
Component: Server: Firefox Accounts → Android Sync
Product: Mozilla Services → Android Background Services
rnewman: this should be tracking 29, but I don't have permissions (!?).
To be precise, the requests should always *provide* payload verification hashes. HAWK clients don't have a way to ask the server to verify payloads or not (that's the server's decision). Also, we should be clear that this isn't about having the client verify *responses*, which is another option in the HAWK world (which we don't use). It's only about having requests include a "hash=" attribute in the "Authorization:" header, which contains a hash of the payload. The current code only does this for a few (one?) kinds of requests; the desired behavior is to do it for all POSTs.
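Added example, not part of the comment above and not the Android client's code (Python is used here instead of the client's Java): a sketch of how a Hawk client computes the "hash=" attribute and folds it into the request MAC, and what a verifying server can and cannot detect when the attribute is absent. The key, id, nonce, host and path are constructed sample values, and `include_hash` and `server_accepts` are hypothetical names.

```python
import base64, hashlib, hmac, re

def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()

def payload_hash(content_type: str, body: bytes) -> str:
    """Hawk payload hash: SHA-256 over a tagged media type and the raw body."""
    media_type = content_type.split(";")[0].strip().lower()  # parameters dropped
    data = b"hawk.1.payload\n" + media_type.encode() + b"\n" + body + b"\n"
    return _b64(hashlib.sha256(data).digest())

def request_mac(key: bytes, ts, nonce, method, resource, host, port, hash_="") -> str:
    """HMAC-SHA256 over the normalized request string (ext field left empty)."""
    fields = ["hawk.1.header", str(ts), nonce, method.upper(), resource,
              host.lower(), str(port), hash_, ""]
    return _b64(hmac.new(key, ("\n".join(fields) + "\n").encode(), hashlib.sha256).digest())

def authorization_header(key_id, key, ts, nonce, method, resource, host, port,
                         content_type, body, include_hash=True) -> str:
    """Client side. include_hash=False models a request sent without hash=."""
    hash_ = payload_hash(content_type, body) if include_hash else ""
    attrs = [("id", key_id), ("ts", ts), ("nonce", nonce)]
    if hash_:
        attrs.append(("hash", hash_))
    attrs.append(("mac", request_mac(key, ts, nonce, method, resource, host, port, hash_)))
    return "Hawk " + ", ".join(f'{k}="{v}"' for k, v in attrs)

def server_accepts(key, header, method, resource, host, port, content_type, body) -> bool:
    """Server side (timestamp and nonce-replay checks omitted for brevity)."""
    a = dict(re.findall(r'(\w+)="([^"]*)"', header))
    hash_ = a.get("hash", "")
    expected = request_mac(key, a["ts"], a["nonce"], method, resource, host, port, hash_)
    if not hmac.compare_digest(expected, a["mac"]):
        return False
    # Only a request that carried hash= lets the server bind the MAC to the body.
    return not hash_ or hmac.compare_digest(hash_, payload_hash(content_type, body))

# Constructed sample request; every value below is made up for the demo.
KEY, REQ = b"constructed-demo-key", ("POST", "/v1/example", "api.example.test", 443)
CTYPE, BODY = "application/json", b'{"email":"user@example.test"}'
TAMPERED = b'{"email":"other@example.test"}'

def demo():
    signed = authorization_header("demo-id", KEY, 1400000000, "n0nce1", *REQ, CTYPE, BODY)
    bare = authorization_header("demo-id", KEY, 1400000000, "n0nce1", *REQ, CTYPE, BODY,
                                include_hash=False)
    return {"hash_ok": server_accepts(KEY, signed, *REQ, CTYPE, BODY),
            "hash_tampered": server_accepts(KEY, signed, *REQ, CTYPE, TAMPERED),
            "nohash_tampered": server_accepts(KEY, bare, *REQ, CTYPE, TAMPERED)}
```

With "hash=" present the altered body is rejected; without it the MAC still verifies, because the body never entered the signed string.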
warner: Roger that. This will mean making FxAccountClient.RequestDelegate set the boolean based on the request method (or similar).
Summary: Make Android FxAccountClient* HAWK requests always request payload verification → Make Android FxAccountClient* HAWK requests always include request payload hash
The PR in Bug 985766 is, in fact, addressing this ticket. Will update the bug number before landing.
Well, that was a bumpy landing. https://hg.mozilla.org/integration/fx-team/rev/4a44ad0248ba
Status: NEW → ASSIGNED
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 31